More details on the impact and exploitability of the last Ruby-On-Rails SQL injection #CVE-2012-5664

Just a quick write-up on this; I will probably do an exercise on it soon, like I did for the previous bug in ActiveRecord. It's pretty trivial to exploit if you have the right condition. The right condition is the ability to send symbols to ActiveRecord.

When you read the advisory, you could think that this bug could be exploited by only doing something like:

    http://vulnerable/?id[select]=SQL

However, ActiveSupport (a Rails core library used by ActiveRecord) prevents this, since it ensures the keys are valid and makes sure the keys are symbols:

    # ActiveSupport core extension on Hash: reject any key not in the allowed list
    def assert_valid_keys(*valid_keys)
      unknown_keys = keys - [valid_keys].flatten
      raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}") unless unknown_keys.empty?
    end

From my testing the following keys are valid: :conditions, :include, :joins, :limit, :offset, :extend, :order, :select, :readonly,...
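To see why the naive query-string attempt is stopped, here is an added stand-alone example (not code from the original post or from Rails itself) that re-implements the assert_valid_keys extension quoted above and runs it against a String-keyed hash, as a Rack/Rails parameter parser would produce for ?id[select]=..., and against a Symbol-keyed hash, as application code would build. The FIND_OPTIONS list and the sample hashes are constructed for the example.

```ruby
# Added example: stand-alone re-implementation of the ActiveSupport core
# extension quoted in the post, plus a small classifier showing the outcome.
class Hash
  # Mirrors ActiveSupport's Hash#assert_valid_keys (Rails 3.x era):
  # any key not in valid_keys raises ArgumentError.
  def assert_valid_keys(*valid_keys)
    unknown_keys = keys - [valid_keys].flatten
    raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}") unless unknown_keys.empty?
  end
end

# Constructed list mirroring the valid find option keys named in the post.
FIND_OPTIONS = [:conditions, :include, :joins, :limit, :offset, :extend,
                :order, :select, :readonly].freeze

# Returns :accepted when the options hash survives validation, :rejected
# when assert_valid_keys raises because of an unknown (e.g. String) key.
def classify_find_options(options)
  options.assert_valid_keys(FIND_OPTIONS)
  :accepted
rescue ArgumentError
  :rejected
end

# Constructed sample inputs:
# - what a parameter parser yields for id[select]=... (String keys only)
# - what application code passes when it builds the hash itself (Symbol keys)
STRING_KEYED = { "select" => "*" }.freeze
SYMBOL_KEYED = { :select => "*" }.freeze

if __FILE__ == $0
  puts "string keys: #{classify_find_options(STRING_KEYED)}"   # rejected
  puts "symbol keys: #{classify_find_options(SYMBOL_KEYED)}"   # accepted
end
```

The String-keyed hash is rejected because "select" is not equal to :select, which is exactly the "need to send symbols" condition the post describes.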